Description
Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication.

The vendor was notified early about this vulnerability, but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered to be vulnerable; future versions might also be vulnerable.
Published: 2026-03-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via publicly accessible SVG uploads by an authenticated uploader
Action: Disable SVG
AI Analysis

Impact

Bludit's image upload feature permits an authenticated user with author, editor, or administrator privileges to upload an SVG file that includes a malicious script. When a visitor requests the URL of the uploaded file, the script executes in the visitor's browser, enabling session hijacking, redirection, or other client-side attacks. The flaw therefore provides a vector for arbitrary script execution in the browser of any user who views the uploaded resource.

Affected Systems

The vulnerability affects the Bludit content management system. All released versions up to and including 3.18.2 are confirmed vulnerable, and later releases may also remain susceptible if the issue is not addressed. Site operators running any version up to and including 3.18.2 should inspect their upload directories for SVG files that are stored or served publicly.

Risk and Exploitability

The CVSS v4.0 score of 4.8 denotes moderate severity, and the EPSS score of less than 1% indicates that exploitation has not yet been widely reported. The flaw is not listed in CISA's KEV catalog. Exploitation requires the attacker to be authenticated and to possess upload privileges, but the resulting resource is served without authentication, exposing all site visitors to the malicious payload. Until an official patch becomes available, the risk remains moderate to high because any authenticated content uploader could introduce a malicious SVG that compromises unprivileged users.

Generated by OpenCVE AI on April 2, 2026 at 05:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable SVG uploads by removing the file-type allowance in the upload configuration
  • Remove any existing SVG files from the public upload directory
  • Restrict uploaded SVGs to a dedicated, non-browser-served location and serve them with the "Content-Security-Policy: script-src 'none'" header
  • Apply vendor updates or patches once they are released to address the issue
  • Continuously monitor the Bludit security advisories for new fixes or workarounds
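To support the first three actions above, here is a defender-side audit script, an added example that is not part of the OpenCVE record or of Bludit. It walks a public uploads directory, recognises SVG by content rather than file extension (a renamed SVG is still served as SVG), and reports the markup that lets an SVG execute script when a browser opens it directly; it goes beyond the <script> case in the description to cover event-handler attributes, javascript:/data: hrefs and foreignObject/embed elements. The directory path is an assumption passed on the command line, since this page gives no Bludit upload path.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Markup that turns an SVG into active content when a browser opens it directly.
_ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
_EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
_SCRIPT_URL = re.compile(r"^\s*(javascript|data):", re.I)
_HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}

def is_svg(data: bytes) -> bool:
    """Sniff SVG by content, not extension: renamed uploads are still SVG."""
    return b"<svg" in data[:4096].lower()

def _local(name: str) -> str:
    """Strip an XML namespace prefix like {http://...} and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return reasons this SVG could execute script; an empty list means clean."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Browsers are lenient with broken SVG, so do not treat this as safe.
        return ["unparseable XML (inspect manually)"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in _ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            if _EVENT_ATTR.match(_local(attr)):
                findings.append(f"{_local(attr)} handler on <{tag}>")
            elif attr in _HREF_ATTRS and _SCRIPT_URL.match(value):
                findings.append(f"script/data URL in href on <{tag}>")
    return findings

def scan_upload_dir(directory: str) -> dict[str, list[str]]:
    """Map every SVG-looking file under `directory` (any extension) to its findings."""
    report = {}
    for path in Path(directory).rglob("*"):
        if path.is_file() and is_svg(data := path.read_bytes()):
            report[str(path)] = svg_findings(data)
    return report

if __name__ == "__main__":
    # Assumed path: pass the site's real public uploads directory as argv[1].
    for file, reasons in scan_upload_dir(sys.argv[1]).items():
        print(file, "->", ", ".join(reasons) or "clean")
```

Files reported as "clean" are still SVG served to anonymous visitors, so they should be removed or moved under the recommended CSP-protected location rather than left in place.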


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type               Values Removed   Values Added
CPEs                                cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:*
Metrics cvssV3_1                    {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 30 Mar 2026 07:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Bludit
                                      Bludit bludit
Vendors & Products                    Bludit
                                      Bludit bludit

Fri, 27 Mar 2026 13:15:00 +0000

Type               Values Removed   Values Added
Metrics ssvc                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 12:15:00 +0000

Type               Values Removed   Values Added
Description                         Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An authenticated attacker with content upload privileges (such as Author, Editor, or Administrator) can upload an SVG file containing a malicious payload, which is executed when a victim visits the URL of the uploaded resource. The uploaded resource itself is accessible without authentication. The vendor was notified early about this vulnerability, but stopped responding in the middle of coordination. All versions up to 3.18.2 are considered to be vulnerable, future versions might also be vulnerable.
Title                               Stored XSS via SVG File Upload in Bludit
Weaknesses                          CWE-79
References
Metrics cvssV4_0                    {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-27T12:43:37.644Z

Reserved: 2026-01-29T12:40:23.880Z

Link: CVE-2026-25100

Vulnrichment

Updated: 2026-03-27T12:43:32.157Z

NVD

Status: Analyzed

Published: 2026-03-27T12:16:20.030

Modified: 2026-04-01T13:56:52.570

Link: CVE-2026-25100

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:55:40Z

Weaknesses